Dutch minister of Justice Ivo Opstelten is certainly being a busy boy. Just a few days have passed since his last letter and now he has written another one, equally worrying or perhaps more so. In short, he is suggesting in an as yet unpublished letter that the Dutch police should have the right to hack. Excuse me? Yes, a right to hack.
Another day, another worrying proposal from the Dutch government. As we await the formation of a new cabinet, Dutch minister of Security and Justice, Ivo Opstelten, is seeking to change Dutch law to make it mandatory for suspects of certain crimes to hand over their decryption keys so that law enforcement officers can gain access to their private data. Failure to comply would constitute a criminal offence.
In the aftermath of the Diginotar hack, I wrote an article that mentioned we needed a silver bullet to solve the problems with the current state of SSL and certificate authorities. Of course the Internet wouldn’t be the Internet if such a silver bullet didn’t emerge sooner or later. Famous hacker Moxie Marlinspike has announced Convergence, a tool to verify the identity of websites without the need for a Certificate Authority.
We are living in an age where information is fast becoming the most important commodity. This has created a new class of poor people. Apart from the ‘have-nots’ we now also have the ‘know-nots’, people who are not privy to certain types of information. Because information is so valuable, lots of companies, agencies and governments are doing their utmost to get their hands on our data. I recently did a little survey of my own situation and I came to the conclusion that there are well over 120 separate entities who have some kind of information about me. These are just the entities that I am aware of, of course. There may be many more that I am not immediately aware of, like marketing companies, stores, publishers and last but not least: government agencies.
In June 2011 Diginotar, a Dutch provider of SSL certificates, was hacked. The hack was probably carried out by hackers working for the government of the sovereign nation of Iran for the purpose of obtaining forged SSL certificates for a number of high-profile domains, such as Google and Yahoo, among others. With the help of those forged certificates, it was possible to snoop on the encrypted communication of Iranian citizens by using them in a classic “man-in-the-middle” attack. While the successful hack is significant in and of itself, it has far-reaching implications for the entire world.
Welcome to the second instalment of the ssh files. In this instalment, we’ll be taking a look at logging in without a password, using public key authentication. The major benefit of logging in through public key authentication is that you will only have to remember the pass phrase of your key and no longer a dozen or more passwords on different servers. Also, setting your ssh daemon to only allow public key authentication will foil any attempts by script kiddies to brute-force your password…because there isn’t one.